Twitter Limits SMS-Based 2FA To Blue Users Only

By Adeola Adegunwa
Writer, Informationsecuritybuzz | Feb 20, 2023 02:19 am PST

Twitter has stated that it will no longer enable SMS two-factor authentication unless you have a Twitter Blue subscription. There are, however, more secure multi-factor authentication alternatives, which we outline below. Twitter said this week that non-Twitter Blue users who use SMS 2FA must switch to another 2FA method by March 20th, 2023, or their account will be deactivated.

Twitter issued a fresh blog post with a warning: “Non-Twitter Blue subscribers have 30 days to stop using this method and enroll in another if they are already enrolled. We will no longer allow non-Twitter Blue subscribers to use SMS messages as a 2FA option after March 20, 2023. Accounts that still have text message 2FA enabled will have it turned off at that point.”

According to Twitter’s account security report, which covers July 2021 through December 2021, only 2.6% of users had two-factor authentication enabled. Of those users, 74.4% used SMS 2FA, 28.9% used an authenticator app, and 0.5% used a hardware security key.

Elon Musk claimed that the change was made because fraudulent 2FA SMS messages cost Twitter $60 million a year. After the policy change, Musk defended it by saying that authentication apps “are significantly more secure than SMS,” most likely alluding to the risk of SIM-swapping attacks.

SIM swapping attacks occur when threat actors deceive or bribe carrier staff into reassigning the target’s phone number to an attacker-controlled SIM card.

This lets the threat actors use the phone number on their own devices, receive the victim’s SMS messages, including SMS MFA codes, and log into accounts that use the phone number as part of the credentials.

Security Key Or Authentication App As 2FA Authentication Option

If you intend to skip signing up for Twitter Blue, you must now use a security key or an authentication app as your 2FA option. Even though many people disagree with how this new policy is being handled and implemented, it could improve security for users who decide not to sign up for Twitter Blue.

This is because you will have to secure your account with a stronger method. The safest way to sign in to an account is with a hardware security key, such as a Google Titan or YubiKey: a small device that connects over USB or NFC.

Because the key is a physical object that must be in your possession and connected to the computer you are logging in from, it is regarded as the most secure option. Even if someone obtains your credentials and one-time codes through a sophisticated adversary-in-the-middle phishing attack or a SIM-swapping operation, they cannot complete the 2FA step without the key.

The alternative is to use a two-factor authentication app, such as Authy, Microsoft Authenticator, or Google Authenticator.

When you configure two-factor/multi-factor authentication on a website, it displays a QR code that you scan with the authentication app. Once scanned, the website is registered in the app, which then produces the 2FA codes needed to log in to your account on that website.

In the event that a threat actor obtains your login information, they will be unable to log in because they lack access to the code issued by your mobile app.

The issue with authenticator apps is that if you lose your phone, you also lose access to your 2FA credentials, which makes regaining access to websites difficult and time-consuming.

Microsoft Authenticator and Authy both offer cloud backup of your 2FA settings so you can restore them if you lose or wipe your device, which makes either app a good choice as your authentication app.

If you use Authy, turn off the “Allow Multi-device” feature whenever you are not actively adding a new device. Otherwise, someone who takes over your phone number might be able to enroll their own device in your Authy account.

Twitter has stated that its Blue subscribers will be the only ones who can use SMS-based two-factor authentication (2FA). The company said that, despite previously being a popular form of 2FA, “we have seen phone-number based 2FA be exploited – and misused – by unscrupulous actors,” and that “except for Twitter Blue subscribers, we will no longer let accounts enroll in the text message/SMS mode of 2FA.” Twitter users who have enrolled in SMS-based 2FA but have not subscribed to Blue have until March 20, 2023, to switch to a different method such as an authenticator app or a physical security key. After this deadline, non-Twitter Blue subscribers will no longer have access to this feature.

1 Expert Comment
Keith Walsh, Director, OT Strategy and Operations, InfoSec Expert
February 22, 2023 3:09 pm

“Twitter has recently announced a decision to disable SMS-based two-factor authentication for users who do not subscribe to the paid subscription service Twitter Blue. Users will be given 30 days to disable the feature and switch to another factor of authentication. If users do not perform these actions before the 30-day cutoff, SMS-based authentication will be disabled without a substitute in place, and the account will only have a password for authentication until another factor, such as an authenticator app or security key, is set up.

“While this is very concerning news, the larger issue is that the majority of Twitter users are not securing their accounts with any form of MFA. According to a report released by Twitter in July 2022, only 2.6% of accounts had two-factor authentication enabled as of December 2021, and 74.4% of those accounts are using SMS as an authentication factor.

“SMS-based two-factor authentication is a weak authentication method as it can be easily exploited using techniques such as SIM swapping. The use of an authenticator app or security key is considered stronger as they are not vulnerable to such attacks. Although SMS authentication is considered weak, it is still more secure than using just a password.”

